Abstract

Algorithm synthesis transforms a formal specification into an efficient algorithm that solves a problem. In Specware, algorithm synthesis combines the formal specification of a problem with a high-level algorithmic strategy. To derive an efficient algorithm, a developer must define operators that refine the strategy by combining its generic operators with the details of the problem specification. This derivation requires skill and a deep understanding of both the problem and the algorithmic strategy. In this paper we introduce two tactics that ease the process. They serve a purpose similar to the tactics used for finding indefinite integrals in calculus: they suggest possible ways to attack the problem.


1 Background 

There have been a variety of approaches to program synthesis (see [Kre98] for a survey). The focus of this paper is an algorithm class called Global Search (GS) [Smi88]. Using this algorithm class, Smith and his colleagues have synthesized a number of practical algorithms, including, in one case, a scheduler that ran several orders of magnitude faster than comparable hand-written ones [SPW95]. The starting point is a specification $(D, R, O)$, where $D$ is an input type, $R$ an output type, and $O : D \times R \to \mathit{Boolean}$ is an output or correctness condition, together with a global search theory extension (described below). Given an input $x$, the following program returns a solution $z : R$ satisfying the output condition, if one exists (there are some additional conditions on $R$ which will be explained shortly):

  f(x:D) : R =
    let r = propagate(x, r0(x)) in
    if r = None then None else gs(x, r)

  gs(x:D, r:R) : R =
    let z = Extract(r) in
    if z /= None && O(x, z) then z else gsAux(x, Subspaces(r))

  gsAux(x:D, subs:{R}) : R =
    if subs = {} then None
    else let (s, rest) = arbsplit(subs) in
         if propagate(x, s) = None then gsAux(x, rest)
         else let z = gs(x, s) in
              if z = None then gsAux(x, rest) else z

  propagate(x, r) = if Φ(x, r) then iterateToFixedPoint(ψ, x, r) else None

  iterateToFixedPoint(f, x, r) =
    let fr = f(x, r) in
    if FP?(fr, r) then fr else iterateToFixedPoint(f, x, fr)

The program is a classic search algorithm. It takes an initial space of possible solutions (corresponding to the root node of a search tree) and, unless it can immediately extract a feasible solution, partitions it into subspaces (corresponding to child nodes), each of which is searched in turn until a feasible solution is found. In this paper we provide tactics for synthesizing the operators $\Phi$ and $\psi$.

The remaining functions are defined in the global search theory extension, GS-ext, supplied by the developer, which is an algebra over $R$ with the following operators. $r_0 : D \to R$ returns a descriptor of the initial search space. $\mathit{Extract} : R \to R$ determines whether the given space is terminal and, if so, returns a solution (otherwise the distinguished element $\mathit{None}$, denoting an empty space). $\mathit{Subspaces} : R \to \{R\}$ returns a set of subspaces of the current space. $\Phi : D \times R \to \mathit{Boolean}$ is a necessary filter: spaces that do not pass $\Phi$ need not be examined. It can be any predicate over $R$ satisfying $r \sqsubseteq z \wedge O(x,z) \Rightarrow \Phi(x,r)$. Here $\sqsubseteq$ is a refinement relation over $R$; the intent of $\sqsubseteq$ is that if $r \sqsubseteq s$ then $s$ is a subspace of $r$ (any solution contained in $s$ is contained in $r$) and is "more defined" than $r$. $\psi : D \times R \to R$ is called a necessary propagator. It "tightens" a given space to eliminate infeasible solutions and can be any function satisfying $\forall z.\; r \sqsubseteq z \wedge O(x,z) \Rightarrow \psi(x,r) \sqsubseteq z$. When $(R, \sqsubseteq)$ forms a lattice, Smith et al. [SPW95] show how a monotone, inflationary $\psi$ can be iterated from any starting space to a fixpoint, which is the tightest space that still preserves all the original feasible solutions. That is what the $\mathit{propagate}$ function in the abstract program above does. An axiomatic definition of GS theory and a proof of correctness of the abstract program can be found in [Smi88].

1.1 A Constraint Satisfaction Theory 

We are developing a specialization of Global Search to solve problems that involve multi-variable Constraint Satisfaction (CS) [Dec03]. Unlike generic constraint solvers [San94], which accept constraints as input and find a solution at run time, in our approach the constraint is the output condition of the problem to be solved. This constraint is the starting point of algorithm synthesis, not of dynamic constraint solving. Many of the problems we will look at can be solved by constraint satisfaction [Dec03], so it is useful to have a specialization of the GS class for Constraint Satisfaction (CS) problems, which we can later extend to each specific problem as needed.

In a nutshell, constraint satisfaction does the following: given a set of variables $\{1..\mathit{maxVar}\}$, assign to each variable a value drawn from some domain $D_v$, in a manner that satisfies some set of constraints. The theory that does this, which we call CST, is defined below. All other domain-specific theories we use will monotonically extend this theory.

$R \mapsto m : \mathit{Map}(\mathit{Nat} \mapsto D_v) \times \mathit{tbd} : \{\mathit{Nat}\} \times \mathit{ch} : \mathit{Map}(\mathit{Nat} \mapsto \{D_v\})$

$D \mapsto \mathit{maxVar} : \mathit{Nat} \times \mathit{vals} : \{D_v\}$

$O \mapsto \lambda x, z.\; \mathrm{dom}(z.m) = \{1..x.\mathit{maxVar}\}$

$r_0 \mapsto \lambda x.\; (m = \{\},\; \mathit{tbd} = \{1..x.\mathit{maxVar}\},\; \mathit{ch} = \{(v \mapsto x.\mathit{vals}) \mid v \in \{1..x.\mathit{maxVar}\}\})$

$\mathit{Subspaces} \mapsto \lambda x, z.\; \{\, z' \mid v = \mathit{pick}(z.\mathit{tbd}) \wedge a \in z.\mathit{ch}(v) \wedge z'.m = z.m \oplus \{v \mapsto a\} \wedge z'.\mathit{tbd} = z.\mathit{tbd} - \{v\} \,\}$

$\mathit{Extract} \mapsto \lambda z.\; \mathbf{if}\; z.\mathit{tbd} = \{\}\; \mathbf{then}\; z\; \mathbf{else}\; \mathit{None}$

$\sqsubseteq \mapsto \{(z, z') \mid z.m \subseteq z'.m\}$

$\Phi \mapsto \lambda x, z.\; \mathit{True}$

$\psi \mapsto \lambda x, z.\; z$

In this theory, branching occurs via the $\mathit{Subspaces}$ function. After picking a variable $v$ from the set of variables not yet assigned a value ($\mathit{tbd}$), it returns the subspaces formed by assigning to $v$ each of the values still possible for it (drawn from $\mathit{ch}(v)$), adding the pair to the map $m$ and removing $v$ from $\mathit{tbd}$. The initial space $r_0$ makes all the values in $x.\mathit{vals}$ available to every variable. The choice of which variable to pick does not matter functionally, but it can have a significant impact on the efficiency of the actual program. We will often abbreviate $z.m(i)$ as $z_i$. Now, given a definition for $D_v$ and whatever conditions are appropriate added to $O$, the abstract program given earlier becomes a working constraint satisfaction solver. The key to making it efficient is appropriate definitions for $\Phi$ and $\psi$¹. This is what the next section examines.


¹ Often, further optimizations such as context-dependent simplification, finite differencing and data structure selection have to be carried out before arriving at a final efficient algorithm. These later operations are not the focus of this paper.
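The abstract program of Section 1, instantiated with the CST theory, as an added example in Python (this is illustrative code written for this page, not the paper's Specware development). Space, r0, extract, subspaces, propagate, gs and solve follow the definitions above; pick is taken to be the lowest undecided index and values are tried in ascending order (both are this example's assumptions, since the paper leaves them open). The demo problem, n-queens, is constructed for illustration: variable i is row i and its value the column. With the trivial CST operators ($\Phi$ = True, $\psi$ = identity) the search is exhaustive; queens_phi is a hand-written necessary filter added here only to show how much a filter prunes, and is not one of the paper's tactics.

```python
from typing import Any, Dict, FrozenSet, List, Optional


class Space:
    """A CST space: partial assignment m, undecided variables tbd, remaining choices ch."""

    def __init__(self, m: Dict[int, Any], tbd: FrozenSet[int],
                 ch: Dict[int, FrozenSet[Any]]):
        self.m, self.tbd, self.ch = dict(m), frozenset(tbd), dict(ch)

    def __eq__(self, other):  # FP?(fr, r) in propagate compares spaces structurally
        return (self.m, self.tbd, self.ch) == (other.m, other.tbd, other.ch)


def r0(x: dict) -> Space:
    """CST.r0: nothing assigned, every value in x['vals'] open to every variable."""
    vs = range(1, x["maxVar"] + 1)
    return Space({}, frozenset(vs), {v: frozenset(x["vals"]) for v in vs})


def extract(r: Space) -> Optional[Space]:
    """CST.Extract: a space with no undecided variable is terminal."""
    return r if not r.tbd else None


def subspaces(r: Space) -> List[Space]:
    """CST.Subspaces: pick an undecided variable (lowest index, an assumption)
    and branch on each value still in its choice set."""
    if not r.tbd:
        return []
    v = min(r.tbd)
    return [Space({**r.m, v: a}, r.tbd - {v}, r.ch) for a in sorted(r.ch[v])]


def propagate(x, r, phi, psi):
    """Reject spaces failing the necessary filter Phi, then iterate psi to a fixpoint."""
    if not phi(x, r):
        return None
    while True:
        fr = psi(x, r)
        if fr == r:  # FP?(fr, r)
            return fr
        r = fr


def gs(x, r, O, phi, psi, stats):
    stats["spaces"] += 1
    z = extract(r)
    if z is not None and O(x, z):
        return z
    for s in subspaces(r):  # gsAux: split the subspace set in index order
        ps = propagate(x, s, phi, psi)
        if ps is None:
            continue
        z = gs(x, ps, O, phi, psi, stats)  # search the tightened space, as f does with r0
        if z is not None:
            return z
    return None


def solve(x, O, phi=lambda x, r: True, psi=lambda x, r: r):
    """f(x): returns (solution map or None, number of spaces visited)."""
    stats = {"spaces": 0}
    r = propagate(x, r0(x), phi, psi)
    z = None if r is None else gs(x, r, O, phi, psi, stats)
    return (None if z is None else z.m), stats["spaces"]


# Constructed demo problem: n-queens.
def attacks(i, a, j, b):
    return a == b or abs(i - j) == abs(a - b)


def queens_O(x, z):
    """CST.O plus: no two queens attack each other."""
    m = z.m
    return set(m) == set(range(1, x["maxVar"] + 1)) and not any(
        attacks(i, m[i], j, m[j]) for i in m for j in m if i < j)


def queens_phi(x, r):
    """Hand-written necessary filter (not a tactic of the paper): a partial
    placement that already contains an attack cannot be extended to a solution."""
    m = r.m
    return not any(attacks(i, m[i], j, m[j]) for i in m for j in m if i < j)


def run_queens(n, filtered=False):
    x = {"maxVar": n, "vals": set(range(1, n + 1))}
    return solve(x, queens_O, phi=queens_phi if filtered else (lambda x, r: True))


if __name__ == "__main__":
    print(run_queens(4))            # exhaustive search
    print(run_queens(4, True))      # same solution, far fewer spaces visited
```

For 4 queens the exhaustive search visits 155 spaces before reaching the first solution, while the filtered search visits 9; the difference is exactly the effect a good $\Phi$ has on the abstract program, and deriving such filters systematically is what the tactics of Section 2 are for.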
2 Tactics

In order to obtain an efficient final algorithm, the developer must typically find good instantiations of the operators $\Phi$ and $\psi$. The question of where to begin often arises. For this reason we propose to build a library of tactics that a developer can use when attempting to instantiate one of these operators. The analogy is with the tactics used for integration in calculus. Unlike differentiation, integration has no straightforward algorithm. Rather, there are a number (some 7 or 8) of tactics such as "integration by parts", "integration by partial fractions" and "integration by change of variable" that can be tried in turn when determining the integral of a given formula. There are of course differences. Unlike integration, there is often no single "correct" answer. Also, our tactics are usually inspired by techniques used in algorithms from computer science and operations research rather than from calculus. But the basic principle is the same: to package a number of tedious calculations into a pattern-matching rule. Furthermore, by expressing a technique in the more abstract form of a tactic, it can be applied to other problem areas without requiring the developer to be familiar with the implicit assumptions and notation of the specific algorithm in which the technique is usually buried. The ultimate goal is that a competent developer will be able to use the approach proposed here to investigate a variety of solutions to their problem.

2.1 A Tactic for Calculating $\Phi$

This tactic helps in constructing (necessary) filters $\Phi$ when the feasibility constraint takes a certain form.

TACTIC 1. If a conjunct of $O$ matches the form $\bigotimes_i F_i(z_i) \sqsubseteq K$, where $\otimes$ is a monotone associative operator and $\sqsubseteq$ forms a meet semi-lattice over $\mathrm{range}(F)$, then a possible $\Phi$ is one that checks that the combination ($\otimes$) of the value assignments in the partial solution with the least possible value assignments for the remaining variables is $\sqsubseteq K$.

The tactic is backed by the following theorem. Note that $\oplus$ denotes extending a partial solution, that is, $z \oplus e$ has the map $z.m \sqcup e.m$ (unless otherwise stated, we always assume $\mathrm{dom}(z.m) \cap \mathrm{dom}(e.m) = \emptyset$).

Theorem 1. If $O(x,z) \Rightarrow \bigotimes_i F_i(z_i) \sqsubseteq K$ for some $K$ and some family of functions $\{F_i\}$, where $\otimes$ is a monotone associative operator and $\sqsubseteq$ forms a meet semi-lattice over $\mathrm{rng}(F)$, then

$O(x, z \oplus e) \Rightarrow \big(\bigotimes_{1 \le i \le \#z} F_i(z_i) \otimes \bigotimes_{1 \le i \le \#e} f_i\big) \sqsubseteq K$, where $f_i = \sqcap_{a \in x.\mathit{vals}} F_i(a)$.

Proof.

$O(x, z \oplus e)$

$\Rightarrow$ {assumption, applied to the solution $z \oplus e$}

$\bigotimes_{1 \le i \le \#(z \oplus e)} F_i((z \oplus e)_i) \sqsubseteq K$

$=$ {split $z \oplus e$ into its $z$ and $e$ parts and use associativity of $\otimes$}

$\bigotimes_{1 \le i \le \#z} F_i(z_i) \otimes \bigotimes_{1 \le i \le \#e} F_i(e_i) \sqsubseteq K$

$\Rightarrow$ {replace every $F_i(e_i)$ with $f_i = \sqcap_{a \in x.\mathit{vals}} F_i(a)$ and use polarity: $f_i \sqsubseteq F_i(e_i)$ and $\otimes$ is monotone}

$\bigotimes_{1 \le i \le \#z} F_i(z_i) \otimes \bigotimes_{1 \le i \le \#e} f_i \sqsubseteq K$

□

Additionally, if $F_i$ is monotone and $x.\mathit{vals}$ has a least element $\alpha$, then, using the quantifier elimination law $\sqcap_{a \in A} F(a) = F(\sqcap A)$ (valid for monotone $F$ when $\sqcap A \in A$), we can rewrite the last line above as $\bigotimes_{1 \le i \le \#z} F_i(z_i) \otimes \bigotimes_{1 \le i \le \#e} F_i(\alpha) \sqsubseteq K$, where $\alpha$ is the least value of $a \in x.\mathit{vals}$.

A symmetrical result is obtained by replacing $\sqsubseteq$ with $\sqsupseteq$, "meet semi-lattice" with "join semi-lattice", "least" with "greatest", and $\sqcap$ with $\sqcup$ everywhere in the above.
Example 2. 0-1 Integer Linear Programming (01-ILP)²

A GSO theory for 01-ILP is obtained by extending CST as follows (only the components that differ from CST are shown):

$D_v \mapsto \{0, 1\}$

$D \mapsto \mathit{CST}.D \times l : \mathit{Nat} \times A : \mathit{Map}(\{1..l\} \times \{1..n\} \mapsto \mathit{Real}) \times b : \mathit{Map}(\{1..l\} \mapsto \mathit{Real})$

$O \mapsto \lambda(x,z).\; \mathit{CST}.O(x,z) \wedge (x.A) \cdot (z.m) \le x.b$

To apply the tactic, the operator $\otimes$ is interpreted as $\Sigma$ and $F_i$ as $(A_{hi} \cdot)$ for the appropriate row $h$, over the lattice $(\mathit{Real}, \le, \min, \max)$. Applying the tactic (but not the final simplification, since $(A_{hi} \cdot)$ is not monotone when $A_{hi}$ may be negative) gives the following filter $\Phi$, in which $\mathrm{dom}(e.m)$ ranges over the variables still in $z.\mathit{tbd}$:

$\forall h.\; 1 \le h \le l.\; \sum_{i \in \mathrm{dom}(z.m)} A_{hi} \cdot z_i + \sum_{i \in \mathrm{dom}(e.m)} \big(\min_{a \in \{0,1\}} \{A_{hi} \cdot a\}\big) \le b_h$

which by case analysis on $a$ is

$\forall h.\; 1 \le h \le l.\; \sum_{i \in \mathrm{dom}(z.m)} A_{hi} \cdot z_i + \sum_{i \in \mathrm{dom}(e.m)} \min\{A_{hi} \cdot 0,\; A_{hi} \cdot 1\} \le b_h$

or, after simplifying:

$\forall h.\; 1 \le h \le l.\; \sum_{i \in \mathrm{dom}(z.m)} A_{hi} \cdot z_i + \sum_{i \in \mathrm{dom}(e.m)} \min\{0, A_{hi}\} \le b_h$

Using the same tactic we have obtained a filter for the Vehicle Routing Problem (VRP) equivalent to one used in algorithm textbooks. The next example shows that the generalization offered by the tactic is useful enough to carry over to qualitatively different problems.

Example 3. The Set Covering Problem (SCP)

Suppose we are given a collection of subsets of a set $S$, each of which has a certain cost. The SCP is the problem of determining the minimum-cost collection of subsets that "covers" the original set, i.e. every element of $S$ is in at least one subset of the resulting collection. The problem has many practical applications, including airline crew scheduling, facility location and logic circuit minimization. A GSO theory for SCP is obtained by extending CST as follows (only the components that differ from the base theory are shown):

$D_v \mapsto \{\mathit{False}, \mathit{True}\}$

$D \mapsto \mathit{CST}.D \times ss : \mathit{Map}(\mathit{Nat} \mapsto \{\mathit{Id}\})$

$O \mapsto \lambda(x,z).\; \mathit{CST}.O \wedge \bigcup_{i \mid z_i} S_i = S$

$\mathit{Id}$ is some user-defined set element type, $x.ss$ returns the actual subset given a variable from $\{1..x.\mathit{maxVar}\}$, $S_i$ stands for the subset $x.ss(i)$, and $S$ stands for $\bigcup_{i \in \{1..x.\mathit{maxVar}\}} S_i$. To apply the tactic, we instantiate $\otimes$ as $\cup$ and $F_i$ as $\lambda z_i.\; \mathbf{if}\; z_i\; \mathbf{then}\; S_i\; \mathbf{else}\; \{\}$, over the join semi-lattice of subsets of $S$ ordered by $\subseteq$, with bottom $\{\}$ and top $S$. Certainly, $\bigcup_{i \mid z_i} S_i = S$ implies $\bigcup_{i \mid z_i} S_i \supseteq S$, that is, $\bigcup_i F_i(z_i) \supseteq S$. Applying the join form of the tactic gives the filter $\bigcup_{i \in \mathrm{dom}(z.m)} F_i(z_i) \cup \bigcup_{i \in \mathrm{dom}(e.m)} (S_i \cup \{\}) \supseteq S$, which simplifies to $\bigcup_{i \in \mathrm{dom}(z.m)} F_i(z_i) \cup \bigcup_{i \in \mathrm{dom}(e.m)} S_i \supseteq S$. That is, if at any point the union of the sets selected in $z$ together with all the remaining sets does not cover $S$, then the space $z$ can be eliminated.
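Tactic 1 as a reusable Python pattern, covering both Example 2 (the meet form, for 0-1 ILP) and Example 3 (the symmetric join form, for SCP). This is an added example written for this page, not the paper's implementation; the names tactic1_filter, ilp_phi and scp_phi and the two problem instances in demo are constructed for illustration, and tactic1_filter additionally assumes that $\otimes$ has an identity element (unit), which the theorem does not require. The partial assignment z.m is passed as a dict and $z.\mathit{tbd}$ (the paper's $\mathrm{dom}(e.m)$) as a set; variables are 0-based here.

```python
from functools import reduce


def tactic1_filter(F, combine, unit, leq, best, vals, K):
    """Build the necessary filter Phi of Theorem 1 (generalised over both forms).

    F(i, a)  : F_i applied to value a
    combine  : the monotone associative operator (x), assumed to have identity `unit`
    leq(p,q) : the order; use the reverse order for the symmetric (join) form
    best(it) : the meet over an iterable (the join for the join form)
    vals     : D_v, the values a remaining variable may still take
    K        : the bound
    The returned phi(assigned, tbd) checks
        (x)_{i in dom(z.m)} F_i(z_i)  (x)  (x)_{i in tbd} best_a F_i(a)  <=  K
    """
    def phi(assigned, tbd):
        terms = [F(i, a) for i, a in assigned.items()]
        terms += [best(F(i, a) for a in vals) for i in tbd]
        return leq(reduce(combine, terms, unit), K)
    return phi


# Example 2: 0-1 ILP, constraints A . z <= b, one filter per row h.
def ilp_phi(A, b):
    """(x) = +, F_i = (A_hi .), order <=, meet = min over {0,1}.
    (A_hi .) is not monotone when A_hi < 0, so the min is kept rather than
    simplified to A_hi . 0, exactly as in the paper's final formula."""
    rows = [tactic1_filter(lambda i, a, h=h: A[h][i] * a, lambda p, q: p + q,
                           0, lambda p, q: p <= q, min, (0, 1), b[h])
            for h in range(len(A))]
    return lambda assigned, tbd: all(row(assigned, tbd) for row in rows)


# Example 3: Set Covering, union of chosen S_i must be a superset of S (join form).
def scp_phi(subsets):
    """(x) = union, F_i = (if z_i then S_i else {}), order is 'superset of',
    and the join (union) replaces the meet: each undecided subset is assumed chosen."""
    S = frozenset().union(*subsets)
    union = lambda p, q: p | q
    return tactic1_filter(lambda i, a: subsets[i] if a else frozenset(),
                          union, frozenset(), lambda p, q: p >= q,
                          lambda it: reduce(union, it, frozenset()),
                          (False, True), S)


def demo():
    """Constructed instances; returns which partial spaces survive each filter."""
    # x0 + x1 + x2 <= 1   and   x0 + x1 >= 1  (written as -x0 - x1 <= -1)
    A = [[1, 1, 1], [-1, -1, 0]]
    b = [1, -1]
    phi = ilp_phi(A, b)
    ilp = (phi({0: 1, 1: 1}, {2}),   # two chosen already violates row 0 -> False
           phi({0: 0, 1: 0}, {2}),   # row 1 can no longer reach -1     -> False
           phi({0: 1}, {1, 2}))      # both rows still satisfiable      -> True
    subsets = [frozenset({1, 2}), frozenset({2, 3}), frozenset({4}), frozenset({1, 3})]
    cover = scp_phi(subsets)
    scp = (cover({2: False}, {0, 1, 3}),         # element 4 can no longer be covered -> False
           cover({0: False, 1: False}, {2, 3}),  # {4} | {1,3} misses element 2       -> False
           cover({1: False}, {0, 2, 3}))         # {1,2} | {4} | {1,3} covers S       -> True
    return ilp, scp
```

The same tactic1_filter serves both examples; only the algebra handed to it changes, which is the point the paper makes about packaging the calculation as a pattern-matching rule. Note that the filter is only necessary: a space that passes may still contain no solution.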

2.2 A Tactic for Calculating $\psi$

Observe that in the initial space $r_0$ all value choices (from $D_v$) are available to every variable. The intent, though, is that propagation will narrow this set to only those values that could lead to feasible solutions (analogous to hyper-arc consistency in CSP). If at any point a choice set becomes empty, then that space can be abandoned. This is the idea behind the following tactic for $\psi$. The tactic applies when the variables ($\mathit{vars}$) of the input can be viewed as, or represent, nodes in some kind of graph structure, so that we can talk about the "neighborhood" around a variable.

TACTIC 2. If one of the conjuncts of $O$ matches the form $\forall j \in N_i.\; z_i \neq z_j$, where $N_i$ is some neighborhood of points around $i$, then a possible $\psi$ is one in which the choice of values available to each variable $j \in N_i$ does not contain the value assigned to variable $i$.

The tactic is backed by the following theorem.


² To simplify the presentation we have omitted the optimization aspect of many of the examples we discuss, since none of our tactics pertain to optimization. In our actual implementation we use a generalization of GS that incorporates optimization.
Theorem 4. If $O(x,z) \Rightarrow \forall j \in N_i.\; z_i \neq z_j$ for some set $N_i \subseteq x.\mathit{vars}$, then

$r \sqsubseteq z \wedge O(x,z) \Rightarrow \psi(x,r) \sqsubseteq z$, where $\psi(x,r) = r\{\mathit{ch}(j) = r.\mathit{ch}(j) - \{r_i\} \mid j \in N_i\}$ for each variable $i$ already assigned in $r$,

and the notation $o\{f(i) = v \mid P(i)\}$ denotes the object obtained by replacing the value at the $i$th index of field $f$ of object $o$ with $v$ whenever $P(i)$ holds; the value is unchanged otherwise.

Example 5. Maximum Independent Segment Sum Problem (MISS) [SHT00]

This is a variant of the well-known maximum segment sum problem (MSS) in which the goal is to maximize the sum of a selection of elements from a given array, with the restriction that no two adjacent elements may be selected. The specification of the problem is as follows:

$D_v \mapsto \{\mathit{False}, \mathit{True}\}$

$D \mapsto \mathit{CST}.D \times \mathit{data} : [\mathit{Int}]$

$O \mapsto \lambda(x,z).\; \mathit{CST}.O \wedge \forall i : 1 \le i < \#z.m.\; z_i \Rightarrow \neg z_{i+1}$

Now let $N_i$ be the left and right neighbours of $i$, i.e. $\{i-1, i+1\}$, if $z_i$ holds, and $\{\}$ otherwise. Then in the case where $z_i$ holds, $\psi(z) = z\{\mathit{ch}(i+1) = \mathit{ch}(i+1) - \{\mathit{True}\}\}$, which is just $z\{\mathit{ch}(i+1) = \{\mathit{False}\}\}$ (and symmetrically for $i-1$).

Using this tactic we have also derived a $\psi$ function for the Graph Coloring Problem and for a variety of puzzles including n-Queens and Sudoku.
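The propagator of Tactic 2 / Theorem 4, iterated to a fixpoint as $\mathit{propagate}$ does and combined with the empty-choice-set test described at the start of this section, as an added Python example (written for this page, not taken from the paper). Spaces are plain (m, ch) pairs: m is the partial assignment and ch the remaining choice set of every variable; $\mathit{tbd}$ is every variable in ch that is not in m. The names tactic2_psi, propagate_to_fixpoint, miss_neighbors and colouring_neighbors, the settle_singletons extension (treating a variable whose choice set has shrunk to one value as assigned, which goes beyond Tactic 2 but is sound within a space that respects its choice sets), and the instances in demo are all this example's own.

```python
def tactic2_psi(neighbors, settle_singletons=False):
    """psi(x, r) = r{ch(j) = r.ch(j) - {r_i} | i assigned, j in N_i}.

    neighbors(i, a, m, ch) returns N_i for variable i holding value a.
    With settle_singletons (an extension, not part of Tactic 2) a variable
    whose choice set has one element left also propagates its value."""
    def psi(m, ch):
        new = {j: frozenset(s) for j, s in ch.items()}
        decided = dict(m)
        if settle_singletons:
            for j, s in ch.items():
                if j not in m and len(s) == 1:
                    decided[j] = next(iter(s))
        for i, a in decided.items():
            for j in neighbors(i, a, decided, new):
                if j in new and j not in m:      # never touch an assigned variable's set
                    new[j] = new[j] - {a}
        return new
    return psi


def propagate_to_fixpoint(m, ch, psi):
    """Apply psi until FP?(fr, r). Returns the tightened choice sets, or None
    when some undecided variable has no choice left (the space is infeasible)."""
    while True:
        fr = psi(m, ch)
        if fr == ch:
            break
        ch = fr
    if any(not ch[j] for j in ch if j not in m):
        return None
    return ch


# Example 5 (MISS): z_i => not z_{i+1}; N_i = {i-1, i+1} when z_i holds, {} otherwise.
def miss_neighbors(i, a, m, ch):
    return [j for j in (i - 1, i + 1) if a and j in ch]


# Graph colouring: adjacent vertices need different colours, N_i = adj[i].
def colouring_neighbors(adj):
    return lambda i, a, m, ch: adj.get(i, ())


def demo():
    """Constructed instances; returns the propagated choice sets (or None)."""
    ch0 = {i: frozenset({False, True}) for i in range(1, 6)}
    miss = propagate_to_fixpoint({2: True}, ch0, tactic2_psi(miss_neighbors))

    # triangle 1-2-3 with two colours: once 1 and 2 are coloured, 3 is stuck
    tri_adj = {1: (2, 3), 2: (1, 3), 3: (1, 2)}
    tri = propagate_to_fixpoint({1: "r", 2: "b"},
                                {v: frozenset({"r", "b"}) for v in tri_adj},
                                tactic2_psi(colouring_neighbors(tri_adj)))

    # path 1-2-3 with two colours: colouring 1 forces 2, which in turn forces 3,
    # so the fixpoint iteration takes more than one round
    path_adj = {1: (2,), 2: (1, 3), 3: (2,)}
    path = propagate_to_fixpoint({1: "r"},
                                 {v: frozenset({"r", "b"}) for v in path_adj},
                                 tactic2_psi(colouring_neighbors(path_adj),
                                             settle_singletons=True))
    return miss, tri, path
```

For MISS the result matches the paper's formula: selecting element 2 leaves $\mathit{ch}(1) = \mathit{ch}(3) = \{\mathit{False}\}$ and every other choice set untouched. Without settle_singletons, $\psi$ depends only on $z.m$, so the fixpoint is reached after one round; the path instance shows the iteration doing real work once forced values are propagated as well.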

2.3 Summary and Future Work 

We have shown how, for certain problem types, calculation of the operators $\Phi$ and $\psi$ can be replaced by pattern matching and substitution. The lesson for program synthesis is that narrowing the range of problem types can lead to much faster program design. We have developed a number of other such tactics, which space does not permit us to describe here. We can also handle optimization problems by incorporating dominance relations [Smi88] and bounds tests into our approach, and have developed a number of tactics for their calculation. Using one such tactic, we have synthesized a previously unpublished greedy solution to the Unbounded Knapsack Problem, and another tactic for dominance relations led us to fast solutions to variants of the Maximum Segment Sum problem that improve on the work of Sasano et al. [SHT00]. Our eventual goal is a library of tactics sufficient to tackle significant Global Search problems such as synthesizing fast planners and efficiently mapping platform-independent models to platform-specific models.